
Alerts and Logs

Understanding alerts and logs

Zone Labs security software alert and logging features keep you aware of what’s happening on your computer without being overly intrusive, and enable you to go back at any time to investigate past alerts. Expert rule options let you track not only blocked traffic, but allowed traffic as well, giving advanced users maximum information options when customizing security rules for their environment.

About Zone Labs security software alerts

Zone Labs security software alerts fall into three basic categories: informational, program, and network. Additional alerts that may appear based on the version of Zone Labs security software you are using include ID Lock alerts and OSFirewall alerts.

To learn about the types of alerts that appear and how to respond to them, see Appendix A,“Alert reference,” starting on page 210.

Chapter 9: Alerts and Logs About Zone Labs security software alerts

Informational alerts

Informational alerts tell you that Zone Labs security software has blocked a communication that did not fit your security settings. The most common type of informational alert is the Firewall alert.

Figure 9-1: Firewall alert. The alert box shows the IP address of the computer that sent the blocked packet, the protocol that was used and/or the port to which the packet was addressed; the date and time the alert occurred; and a counter (for example, "28th of 74 alerts") of the alerts that have occurred since the alert box opened, with arrow controls for stepping through them. Click More Info to submit the alert data to SmartDefense Advisor. For quieter security, select the check box before clicking OK.

Informational alerts don't require a decision from you. Close the alert by clicking the OK button at the bottom of the alert box. Closing the alert does not allow any traffic to access your computer; the communication was already blocked.

Program alerts

Program alerts ask you if you want to allow a program to access the Internet or local network, or to act as a server. Program alerts require an Allow or Deny response. The most common types of Program alerts are the New Program alert and the Repeat Program alert.

Figure 9-2: New Program alert. The alert box shows the name of the program that is requesting permission; the filename of the program and the IP address and port number of the computer that the program is trying to contact; and, when available, program advice from SmartDefense Advisor (if no advice is available, click More Info to submit the alert data to SmartDefense Advisor). Clicking the Allow button grants the permission; clicking the Deny button refuses it. Select the check box before clicking Allow or Deny to avoid seeing an alert for this program again.


New Network alerts

New Network alerts occur when you connect to any network—be it a wireless home network, a business LAN, or your ISP’s network.

Figure 9-3: New Network alert. The alert box shows the type of network (wireless or other) and the IP address and subnet mask of the detected network. Type a name for the network; this name appears in the Zones tab so that you can recognize the network later. Select the Zone in which to place the new network. Put the network in the Trusted Zone only if you know that it is your home or business LAN and not your ISP's network. For more help configuring your network, open the Network Configuration Wizard. Click OK to place the network in the selected Zone and close the alert box.

ID Lock alerts

If they have enabled the ID Lock feature, users of ZoneAlarm Pro and ZoneAlarm Security Suite may see ID Lock alerts if the personal information stored in myVAULT is sent to a destination that is not listed on their Trusted Sites list.

Figure 9-4: ID Lock alert. The alert box shows a description of the information being sent, the application trying to send it, and the IP address of the computer it is being sent to. Select the check box to add this destination to your Trusted Sites list. Click More Info to submit the alert data to SmartDefense Advisor.

By clicking the Yes button, you grant permission to send the information to the requesting IP address. If you do not want to be alerted the next time myVAULT data is sent to this destination, select the "Do you want to remember..." check box to add the destination to your Trusted Sites list.

OSFirewall alerts

There are two types of OSFirewall alerts that you may see: Suspicious Behavior and Dangerous Behavior. Both inform you that ZoneAlarm Security Suite has detected a program on your computer performing an action that could be harmful to your data or computer.

Figure 9-5: Suspicious Behavior alert. The alert box shows a description of the detected behavior and the filename of the application attempting it. Select the check box to allow or deny this action in the future without being alerted. Click More Info to submit the alert data to SmartDefense Advisor.

Suspicious Behavior alerts inform you of actions that may change the default behavior of a program; for example, if a program were to modify your browser's home page, you would see a Suspicious Behavior alert. Dangerous Behavior alerts inform you of actions that may cause programs or your operating system to stop functioning normally, or which could be spyware trying to monitor your activity.

Figure 9-6: Dangerous Behavior alert. The alert box shows the same elements as the Suspicious Behavior alert: a description of the detected behavior, the filename of the application attempting it, the check box for allowing or denying the action in the future without an alert, and the More Info link for submitting the alert data to SmartDefense Advisor.

For more information about OSFirewall alerts and the types of behavior detected, see Appendix D, "Program behavior," starting on page 264.


About event logging

By default, Zone Labs security software creates a log entry every time traffic is blocked, whether an alert is displayed or not. Log entries record the traffic source and destination, ports, protocols, and other details. The information is recorded to a text file named ZAlog.txt, stored in the Internet Logs folder. By default, every 60 days the log file is archived to a dated file so that it doesn't become too large.

You can choose to prevent specific categories of events from being logged—for example, you may want to create log entries only for firewall alerts, or suppress entries for a particular type of Program alert. You can also have Zone Labs security software log specific types of traffic you have decided to allow, by creating expert rules with tracking features enabled.


Setting basic alert and log options

Basic alert and log options let you specify the type of event for which Zone Labs security software displays an alert and for which events it creates a log entry.

Setting the alert event level

The Alert Events Shown control, in the Main tab of Alerts & Logs, lets you control the display of alerts by rating. Program and ID Lock alerts are always displayed, because they ask you to decide whether to grant permission.

To set the alert event level:

1. Select Alerts & Logs|Main.

2. In the Alert Events Shown area, select the desired setting:

High: Displays an alert for every security event that occurs, both high-rated and medium-rated.
Med: Displays only high-rated alerts, which are most likely a result of hacker activity.
Off: Displays Program and ID Lock alerts only. Informational alerts are not displayed.

Setting event and program logging options

Use the Event Logging and Program Logging areas to choose what types of informational alerts and program alerts will be logged.

To enable or disable event logging and program logging:

1. Select Alerts & Logs|Main.

2. In the Event Logging area, select the desired setting:

On: Creates a log entry for all events.
Off: No events are logged.

3. In the Program Logging area, specify the log level:

High: Creates a log entry for all program alerts.
Med: Creates a log entry for high-rated program alerts only.
Off: No program events are logged.


Showing or hiding specific alerts

You can specify whether you want to be alerted to all security and program events, or if you only want to be notified of events that are likely a result of hacker activity.

Showing or hiding firewall alerts

The Alert Events tab gives you more detailed control of alert display by allowing you to specify the types of blocked traffic for which Firewall and Program alerts are displayed.

To show or hide firewall or program alerts:

1. Select Alerts & Logs|Main, then click Advanced.

The Alert & Log Settings dialog appears.

2. Select the Alert Events tab.

3. In the Alert column, select the type of blocked traffic for which Zone Labs security software should display an alert.

4. Click Apply to save your changes.

Enabling system tray alerts

When you choose to hide some or all informational alerts, Zone Labs security software can still keep you aware of those alerts by showing a small alert icon in the system tray.

To enable system tray alerts:

1. Select Alerts & Logs|Main.

2. Click Advanced, then click the System Tray Alert tab.

3. Select the Enable system tray alert icon check box.


Setting event and program log options

You can specify whether Zone Labs security software keeps a record of security and program events by enabling or disabling logging for each type of alert.

Formatting log appearance

Use these controls to determine the field separator for your text log files.

To format log entries:

1. Select Alerts & Logs|Main, then click Advanced.

The Advanced Alerts and Log Settings dialog appears.

2. Select the Log Control tab.

3. In the Log Archive Appearance area, select the format to be used for logs:

Tab: Separates fields with a tab character.
Comma: Separates fields with a comma.
Semicolon: Separates fields with a semicolon.

Customizing event logging

By default, Zone Labs security software creates a log entry when a high-rated firewall event occurs. You can customize Firewall alert logging by suppressing or allowing log entries for specific security events, such as MailSafe quarantined attachments, blocked non-IP packets, or Lock violations.

To create or suppress log entries based on event type:

1. Select Alerts & Logs|Main.

2. Click Advanced.

The Advanced Alerts and Log Settings dialog appears.

3. Select the Alert Events tab.

4. In the Log column, select the type of event for which Zone Labs security software should create a log entry.

5. Click Apply to save your changes.

6. Click OK to close the Alert & Log Settings dialog.

Customizing program logging

By default, Zone Labs security software creates a log entry when any type of Program alert occurs. You can customize Program alert logging by suppressing log entries for specific Program alert types, such as New Program alerts, Repeat Program alerts, or Server Program alerts.

To create or suppress log entries based on Program alert type:

1. Select Alerts & Logs|Main.

2. In the Program Logging area, click Custom.

3. In the Program Logs column, select the type of event for which Zone Labs security software should create a log entry.

4. Click Apply to save your changes.

5. Click OK to close the Alert & Log Settings dialog.

Viewing log entries

You can view log entries two ways: in a text file using a text editor, or in the Log Viewer.

Although the format of each log type differs slightly, the general information contained in the logs is the same.

To view the current log in the Log Viewer:

1. Select Alerts & Logs|Log Viewer.

2. Select the number of alerts to display (from 1 to 999) in the alerts list.

You can sort the list by any field by clicking the column header. The arrow (^) next to the header name indicates the sort order. Click the same header again to reverse the sort order.

3. Select the type of alert you want to view:

Anti-virus Displays the Date/Time, Type, Virus Name, File Name, Action Taken, Mode, and E-mail Info columns.

Firewall Displays the Rating, Date/Time, Type, Protocol, Program, Source IP, Destination IP, Direction, Action Taken, Count, Source DNS, and Destination DNS columns.

IM Security Displays the Date/Time, Type, Source, Program, Local User, Remote User, and Action columns.

OSFirewall Displays the Rating, Date/Time, Type, Subtype, Data, Program, Direction, Action Taken, and Count columns.

Program Displays the Rating, Date/Time, Type, Program, Source IP, Destination IP, Direction, Action Taken, Count, Source DNS, and Destination DNS columns.

Anti-spyware Displays the Date, Type, Spyware name, Filename, Action, and Actor columns.


Field: Information

Description: A description of the event.

Direction: The direction of the blocked traffic. "Incoming" means the traffic was sent to your computer. "Outgoing" means the traffic was sent from your computer.

Type: The type of alert: Firewall, Program, ID Lock, or Lock Enabled.

Source DNS: The domain name of the computer that sent the traffic that caused the alert.

Source IP: The IP address of the computer that sent the traffic that Zone Labs security software blocked.

Rating: Each alert is high-rated or medium-rated. High-rated alerts are those likely to have been caused by hacker activity. Medium-rated alerts are likely to have been caused by unwanted but harmless network traffic.

Protocol: The communications protocol used by the traffic that caused the alert.

Action Taken: How the traffic was handled by Zone Labs security software.

Destination DNS: The domain name of the intended addressee of the traffic that caused the alert.

Destination IP: The address of the computer the blocked traffic was sent to.

Count: The number of times an alert of the same type, with the same source, destination, and protocol, occurred during a single session.

Date/Time: The date and time the alert occurred.

Program: The name of the program attempting to send or receive data. (Applies only to Program and ID Lock alerts.)

Table 9-6: Log viewer fields


Viewing the text log

By default, alerts generated by Zone Labs security software are logged in the file ZAlog.txt. If you are using Windows 95, Windows 98, or Windows Me, the file is located in the folder (x):\Windows\Internet Logs. If you are using Windows NT or Windows 2000, the file is located in the folder (x):\Winnt\Internet Logs.

To view the current log as a text file:

1. Select Alerts & Logs|Main.

2. Click Advanced.

The Advanced Alerts & Log Settings dialog box opens.

3. Select the Log Control tab.

4. In the Log Archive Location area, click View Log.


Text log fields

Log entries contain some combination of the fields described in the table below.

Field: Description (Example)

Type: The type of event recorded. (Example: FWIN)

Date: The date of the alert, in the format yyyy/mm/dd. (Example: 2001/12/31, for December 31, 2001)

Time: The local time of the alert. This field also displays the difference in hours between local time and Greenwich Mean Time (GMT).

Virus Name: The name of the virus that caused the event. This field only appears for anti-virus events. (Example: iloveyou)

File name: The name of the file that caused the event. This field only appears for anti-virus events. (Example: iloveyou.exe)

Action: How the event was handled. The value for this field depends on the type of event that occurred. (Examples: Anti-virus: Renamed; IM Security: Encrypted; MailSafe: Quarantined; ID Lock: Blocked)

Category: The ID Lock category of information that was detected in the event. This field only appears for ID Lock events. (Example: Access PIN)

Program: The program sending or receiving the e-mail that contains the ID Lock information. This field only appears for ID Lock events. (Example: Outlook.exe)

Source: The IP address of the computer that sent the blocked packet, and the port used; or the program on your computer that requested access permission. (Examples: 192.168.1.1:7138; Outlook.exe)

Destination: The IP address and port of the computer the blocked packet was addressed to. (Example: 192.168.1.101:0)

Transport: The protocol (packet type) involved. (Example: UDP)
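The text log fields above, the Count column of the Log Viewer (Table 9-6) and the separator chosen on the Log Control tab can be exercised together by reading ZAlog.txt outside the product. The following is an added example, not code from the manual or from Zone Labs. It assumes that firewall (FWIN) and program (PE) entries carry the fields in the order Type, Date, Time, Source, Destination, Transport, which the manual does not state, and the sample lines are constructed, not real log data.

```python
"""Parse ZAlog.txt-style entries and reproduce the Log Viewer's Count column.

Added example, not code from the manual or from Zone Labs. Assumptions:
one event per line; for firewall (FWIN) and program (PE) events the fields
appear in the order Type, Date, Time, Source, Destination, Transport (the
manual lists these fields and their examples but not their order); the
separator is whichever of tab, comma or semicolon was chosen on the Log
Control tab. The sample lines are constructed, not real log data.
"""
import re
from collections import Counter, defaultdict

SEPARATORS = ("\t", ",", ";")          # the three Log Archive Appearance choices
FIELDS = ("type", "date", "time", "source", "destination", "transport")
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}$")   # yyyy/mm/dd, as in the field table

# Constructed sample: a repeated UDP probe, a TCP sweep of ports 135/139/445,
# and a program event whose Source is a program name rather than IP:port.
SAMPLE_LOG = """\
FWIN,2004/06/04,10:32:08 -7:00 GMT,192.168.1.1:7138,192.168.1.101:0,UDP
FWIN,2004/06/04,10:32:09 -7:00 GMT,192.168.1.1:7138,192.168.1.101:0,UDP
FWIN,2004/06/04,10:33:41 -7:00 GMT,203.0.113.9:4455,192.168.1.101:135,TCP
FWIN,2004/06/04,10:33:42 -7:00 GMT,203.0.113.9:4456,192.168.1.101:139,TCP
FWIN,2004/06/04,10:33:42 -7:00 GMT,203.0.113.9:4457,192.168.1.101:445,TCP
PE,2004/06/04,10:35:12 -7:00 GMT,Outlook.exe,192.168.1.5:25,N/A
"""


def detect_separator(lines):
    """Return the first configured separator that occurs on every non-empty line.
    The Time field ("10:32:08 -7:00 GMT") and IP:port values contain none of
    the three candidates, so the test is unambiguous for these event types."""
    lines = [ln for ln in lines if ln.strip()]
    for sep in SEPARATORS:
        if lines and all(sep in ln for ln in lines):
            return sep
    raise ValueError("no tab, comma or semicolon separator found")


def split_endpoint(value):
    """'192.168.1.1:7138' -> ('192.168.1.1', '7138'); a bare program name such
    as 'Outlook.exe' (the Source of a program event) -> ('Outlook.exe', None)."""
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else (value, None)


def parse_log(text):
    """Parse log text into dicts. Lines that do not fit the firewall/program
    layout (anti-virus, ID Lock and so on carry other fields) are skipped."""
    lines = text.splitlines()
    sep = detect_separator(lines)
    records = []
    for ln in lines:
        parts = [p.strip() for p in ln.split(sep)]
        if len(parts) < len(FIELDS) or not DATE_RE.match(parts[1]):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["src_host"], rec["src_port"] = split_endpoint(rec["source"])
        rec["dst_host"], rec["dst_port"] = split_endpoint(rec["destination"])
        records.append(rec)
    return records


def count_like_log_viewer(records):
    """Collapse repeats the way the Log Viewer's Count column does: same type,
    source, destination and transport; the source port is ignored."""
    counts = Counter()
    for r in records:
        counts[(r["type"], r["src_host"], r["dst_host"], r["transport"])] += 1
    return counts


def port_sweeps(records, min_ports=3):
    """Sources whose blocked inbound (FWIN) traffic hit at least min_ports
    distinct destination ports on one host. Repeats of one port are ordinary
    noise; a spread across ports is the pattern Count alone does not show."""
    ports = defaultdict(set)
    for r in records:
        if r["type"] == "FWIN":
            ports[(r["src_host"], r["dst_host"])].add(r["dst_port"])
    return {k: sorted(v, key=int) for k, v in ports.items() if len(v) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in count_like_log_viewer(recs).items():
        print(n, *key)
    print("sweeps:", port_sweeps(recs))
```

The same text parses identically whichever of the three separators was selected, because none of the field values for these event types contains a tab, comma or semicolon; the date check on the second field is what keeps anti-virus and ID Lock entries, which have a different layout, out of the firewall statistics.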


Archiving log entries

At regular intervals, the contents of ZAlog.txt are archived to a date-stamped file, for example, ZALog2004.06.04.txt (for June 4, 2004). This prevents ZAlog.txt from becoming too large.

To view archived log files, use Windows Explorer to browse to the directory where your logs are stored.

To set archive frequency:

1. Select Alerts & Logs|Main, then click Advanced.

2. Select the Log Control tab.

3. Select the Log Archive Frequency check box.

4. In the Log Frequency area, specify the log frequency (between 1 and 60 days), then click Apply.
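When you later need the history rather than the live file, the dated archives are what you work from, and a gap between them longer than the configured frequency tells you that part of the history is missing. The following is an added example, not from the manual or from Zone Labs; it assumes archive names follow the one example the manual gives (ZALog2004.06.04.txt, that is, ZALog plus yyyy.mm.dd plus .txt), and the directory listing is constructed.

```python
"""Inventory the dated ZAlog archives and spot gaps longer than the archive
frequency. Added example, not from the manual; assumes archive names follow
the manual's one example, ZALog2004.06.04.txt (ZALog + yyyy.mm.dd + .txt).
The directory listing below is constructed."""
import re
from datetime import date

ARCHIVE_RE = re.compile(r"^ZALog(\d{4})\.(\d{2})\.(\d{2})\.txt$", re.IGNORECASE)

# Constructed listing of an Internet Logs folder.
SAMPLE_LISTING = [
    "ZAlog.txt",                 # the live log, no date in the name
    "ZALog2004.06.04.txt",
    "ZALog2004.04.05.txt",
    "ZALog2004.01.05.txt",
    "desktop.ini",
]


def archive_dates(names):
    """Dates of the archive files among names, oldest first. The live
    ZAlog.txt and unrelated files do not match the pattern and are ignored."""
    found = []
    for name in names:
        m = ARCHIVE_RE.match(name)
        if m:
            year, month, day = (int(g) for g in m.groups())
            found.append(date(year, month, day))
    return sorted(found)


def archive_gaps(dates, frequency_days, tolerance=1):
    """Consecutive archives further apart than the configured frequency
    (1 to 60 days on the Log Control tab) plus a small tolerance. A long gap
    means archiving was off, the machine was off, or files were deleted:
    worth knowing before you build a timeline from these files."""
    gaps = []
    for prev, cur in zip(dates, dates[1:]):
        delta = (cur - prev).days
        if delta > frequency_days + tolerance:
            gaps.append((prev, cur, delta))
    return gaps


if __name__ == "__main__":
    dates = archive_dates(SAMPLE_LISTING)
    print("archives:", [d.isoformat() for d in dates])
    for prev, cur, days in archive_gaps(dates, frequency_days=60):
        print(f"gap: {prev} -> {cur} is {days} days")
```

Run it against a real Internet Logs folder by passing os.listdir() of that directory to archive_dates and the frequency set on the Log Control tab to archive_gaps; the live ZAlog.txt covers the period after the newest archive date.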

Specifying the archive location

The ZAlog.txt file and all archived log files are stored in the same directory.

To change the log and archive location:

1. Select Alerts & Logs|Main.

2. Click Advanced.

The Advanced Alerts & Log Settings dialog box opens.

3. Select the Log Control tab.

4. In the Log Archive Location area, click Browse.

Select a location for the log and archive files.

If the Log Archive Frequency check box is not selected, Zone Labs security software continues to log events for display in the Log Viewer tab, but does not archive them to the ZAlog.txt file.


Using SmartDefense Advisor and Hacker ID

Zone Labs SmartDefense Advisor is a service that enables you to instantly analyze the possible causes of an alert, and helps you decide how to respond. When available, SmartDefense Advisor provides advice as to how to respond to Program alerts. If no advice is available, click More Info in the alert to receive more information about the alert. SmartDefense Advisor returns an article that explains the alert and gives you advice on what, if anything, you need to do to ensure your security.

To determine the physical location and other information about the source IP address or destination IP address in an alert, click the Hacker ID tab. This tab displays available
